WIRESHARK

Wireshark is a free and open source network protocol analyzer. It is used for network troubleshooting, analysis, understanding traffic patterns, security analysis and protocol development. It is a cross-platform tool that runs on Linux, macOS, BSD, Solaris and Microsoft Windows.
     Wireshark's main function is to capture traffic on a computer's network interface card and present the packets in a human-readable format. It can parse and display the fields of many different network protocols.
     Wireshark and tcpdump both use libpcap to obtain live network data. Tshark is the command-line version of Wireshark; it uses the pcap library to capture traffic from an available network interface.

Year: 1998
Original Name: Ethereal
Author: Gerald Combs

Next we will look at how Wireshark captures and processes packets. Several internal components take raw packets and format them into a readable form: the network interface card, the link-layer driver, the dumpcap capture engine, the core engine, the wiretap library and the graphical toolkit.

LibPcap/WinPcap: Wireshark uses the computer's network interface card to receive traffic for analysis. Traffic passed up to Wireshark first goes through one of two link-layer drivers, libpcap or WinPcap, which provide access to raw data on the network. WinPcap is used on Windows hosts and libpcap on Linux or OS X hosts.

Dumpcap Capture Engine: The next component in the capture process is dumpcap, also known as the capture engine. Dumpcap does the actual capturing of packets: frames are passed from the libpcap/WinPcap driver into the dumpcap capture engine. Because capture happens in this small, separate process, the rest of Wireshark (including its many dissectors) does not need to run with capture privileges.

Core Engine: The capture engine passes frames to the core engine, which is where the real work happens. Dissectors translate the incoming packets into a human-readable format: when a packet arrives at the core engine, the engine detects the frame type and hands the packet to the matching dissector, which breaks out the individual fields so they can be displayed in the GUI. Since dissectors parse untrusted data straight off the wire, they are the part of Wireshark most often affected by security fixes, so keep the tool up to date.

GIMP Toolkit (GTK): used to build Wireshark's graphical user interface, which lets users interact with a packet capture: open and save files, add display filters, and so on.

Display filter examples:

ip.addr==192.168.93.129
     filter by IP address (matches the address as either source or destination)
likewise,
ip.src==192.168.93.129
ip.dst==192.168.93.129

!ip.addr==192.168.93.129
     filter out the IP address 192.168.93.129 (packets where neither end is that host)

eth.addr==00:0c:29:f6:c2:c8
     filter by MAC address
likewise,
eth.src==MAC address
eth.dst==MAC address

tcp
     filter by protocol, here TCP
likewise,
udp
http
tls   (HTTPS is HTTP inside TLS, so filter on the TLS layer, "ssl" in older versions; "https" is not a protocol name Wireshark recognises)
dns
icmp
ftp

ip.proto == 6 and tcp.flags == 18
     compound filter using "and" (protocol 6 is TCP; flags value 18, i.e. 0x012, is SYN+ACK)

tcp.port==80 && ip.addr==192.168.93.129
     compound filter on IP address and port ("&&" is the same as "and")
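Added example, not from the original notes or the Wireshark project: a small Python evaluator for the display-filter subset used above, run over constructed packet records instead of a real capture. It shows how combined fields (ip.addr, tcp.port, eth.addr) match either endpoint, why !ip.addr==X is the form that excludes a host, that "and"/"&&" and "or"/"||" are interchangeable, and that 18 and 0x012 are the same tcp.flags value.

```python
import re
# Constructed sample packets (not a real capture): Wireshark field name -> value.
PACKETS = [
    {"eth.src": "00:0c:29:f6:c2:c8", "eth.dst": "00:50:56:e1:aa:bb",
     "ip.src": "192.168.93.129", "ip.dst": "93.184.216.34", "ip.proto": 6,
     "tcp.srcport": 51234, "tcp.dstport": 80, "tcp.flags": 0x002, "http": True},
    {"eth.src": "00:50:56:e1:aa:bb", "eth.dst": "00:0c:29:f6:c2:c8",
     "ip.src": "93.184.216.34", "ip.dst": "192.168.93.129", "ip.proto": 6,
     "tcp.srcport": 80, "tcp.dstport": 51234, "tcp.flags": 0x012},
    {"ip.src": "192.168.93.129", "ip.dst": "192.168.93.2", "ip.proto": 17,
     "udp.srcport": 40000, "udp.dstport": 53, "dns": True},
    {"ip.src": "10.0.0.7", "ip.dst": "10.0.0.1", "ip.proto": 1, "icmp": True},
]
# Combined fields match either endpoint, so !ip.addr==X means "neither side is X".
COMBINED = {"ip.addr": ("ip.src", "ip.dst"), "eth.addr": ("eth.src", "eth.dst"),
            "tcp.port": ("tcp.srcport", "tcp.dstport"), "udp.port": ("udp.srcport", "udp.dstport")}
TOKEN = re.compile(r"&&|\|\||==|!|[A-Za-z0-9_.:]+")
ALIAS = {"and": "&&", "or": "||", "not": "!"}   # Wireshark accepts both spellings

def fields(pkt):
    """Names a filter may test: a bare layer name (ip, tcp, dns ...) is present
    when any field of that layer is; combined fields hold both endpoints."""
    f = {**pkt, **{k.split(".")[0]: True for k in pkt}}
    f.update({n: [pkt[a], pkt[b]] for n, (a, b) in COMBINED.items() if a in pkt})
    return f

def literal(tok):                   # 18 and 0x012 compare equal, as in Wireshark
    try: return int(tok, 0)
    except ValueError: return tok   # IP or MAC address, compared as text

def matches(text, pkt):
    """Evaluate one display filter on one packet (precedence: or < and < not)."""
    toks, f = [ALIAS.get(t, t) for t in TOKEN.findall(text)], fields(pkt)
    def split(ts, op):              # cut a token list at a binary operator
        out, cur = [], []
        for t in ts:
            if t == op: out.append(cur); cur = []
            else: cur.append(t)
        return out + [cur]
    def clause(ts):                 # [!]* name [== value]
        if ts and ts[0] == "!":
            return not clause(ts[1:])
        if len(ts) == 1 and ts[0][0].isalpha():
            return ts[0] in f                       # bare name: layer present
        if len(ts) == 3 and ts[1] == "==" and ts[0][0].isalpha():
            have = f.get(ts[0], [])
            return literal(ts[2]) in (have if isinstance(have, list) else [have])
        raise ValueError(f"bad clause {' '.join(ts)!r}")
    return any(all(clause(c) for c in split(conj, "&&")) for conj in split(toks, "||"))

def matching_frames(text, packets=PACKETS):   # 1-based frame numbers that pass
    return [n for n, p in enumerate(packets, 1) if matches(text, p)]
```

Parentheses and operators other than == are deliberately unsupported and raise ValueError rather than silently matching nothing.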